2. External Wireless Attacker
3. External Wired Attacker
Home VoIP Solutions 157
neighborhood to connect and see all traffic that is sent in cleartext. Some users enable Wired Equivalent Privacy (WEP) encryption on their wireless devices, but an attacker can crack WEP in about 30 minutes or less. A newer solution, Wi-Fi Protected Access (WPA), is being used more and more to replace WEP, but offline dictionary attacks on WPA can be performed quite easily with tools like Cain & Abel. Because either of these forms of encryption can be broken, an external attacker, such as a neighbor or even any war driver with a strong wireless antenna, can sniff the traffic and eavesdrop on a user’s VoIP calls.
The final scenario is the one with the most difficult attack surface, but it should still be taken into consideration when addressing security. Because Vonage traffic is sent in cleartext, any malicious user on the DSL/cable segment can sniff the traffic and view the call information. An attacker in Russia who is targeting a user in California will have a tough time targeting the specific network segment; however, an attacker who uses the same broadband provider as another Vonage user could sniff the segment easily. Although limited access to the network segment definitely reduces the attack surface, engaging in voice communication that traverses the network in cleartext is not a good policy. As an analogy, most Internet users would not purchase an item online unless encryption (SSL) were being performed by the web browser. Users are trained to look for the security lock on their web browser (or the presence of an https instead of an http in the browser’s address bar) to assure them that any transaction or communication between them and Amazon, eBay, PayPal, or their bank’s website is 100 percent encrypted and thus secure. However, a Vonage user who gives his credit card number over the phone to pay for a pizza has just sent all that credit card information over the Internet in cleartext, which is the equivalent of making a credit card payment in the web browser without the reassurance of SSL.
In order to show the security issues first-hand, the next section will show how an attacker would perform SIP and RTP attacks on a VoIP solution that uses Vonage. Many of these attacks have already been explained in the SIP and RTP chapters but will be customized here to apply specifically to a Vonage environment. Furthermore, only SIP/RTP demonstrations that attack a home user’s network or equipment will be shown, as attacking any Vonage infrastructure is illegal. The following attacks can be initiated on any of the attack surfaces shown in Figure 8-2:
Call eavesdropping (RTP)
Voice injection (RTP)
Username/password retrieval (SIP)
Call Eavesdropping (RTP)
158 Chapter 8
RTP is a cleartext protocol, which means it can be sniffed over the network like other cleartext protocols such as telnet, FTP, and HTTP. While sniffing RTP packets is as easy as sniffing telnet packets, getting useful information is not quite as simple. Voice conversations using RTP consist of a collection of audio packets, with each packet containing a certain part of the audio communication from one endpoint to the other. Capturing a single RTP packet will give the attacker only a single audio slice of a longer conversation.
An easy way to solve this issue without adding more complexity is to use a tool like Cain & Abel or Wireshark. These tools, as well as others, can capture a sequence of RTP packets, reassemble them in the correct order, and save the RTP stream as an audio file (e.g., a .wav file) using the correct audio codec. In this way, any passive attacker can simply point, click, and eavesdrop on almost any VoIP communication.
Performing a man-in-the-middle attack helps ensure the success of VoIP eavesdropping, because it forces targets to send their packets through an attacker on the local subnet. For example, let’s say two trusted parties, Sonia and Kusum, want to communicate via telephone. In order to communicate with Kusum, Sonia dials her phone number. When Kusum answers the phone, Sonia begins her communication process with Kusum. During a man-in-the-middle attack, an attacker intercepts the connection between Sonia and Kusum and acts as a router for the connection. This forces the two endpoints to route through an unauthorized third party. Both Kusum and Sonia can still communicate; however, neither of them will be aware that an unauthorized third party is listening to every word of their conversation. The attack is like having a three-way phone call in which two of the three callers are unaware of the presence of the third party. Figure 8-3 shows a high-level example of a man-in-the-middle attack.
Figure 8-3: Man-in-the-middle attack
NOTE For more information on man-in-the-middle attacks, refer to Chapter 4.
Figure 8-3 labels: Switch; IP: 172.16.1.1, MAC: 00-00-c5-0e-57-63; Untrusted Third Party, IP: 172.16.1.150, MAC: 00-A0-CC-69-89-74; numbered hops 1 through 4.
In order to capture Vonage RTP packets, reassemble them, and decode them to .wav files using the correct codec, all the while performing a man-in-the-middle attack, an attacker might use the very popular tool Cain & Abel. To carry out a man-in-the-middle attack according to Figure 8-3 with Cain & Abel, an attacker would perform the following steps:
1. Download Cain & Abel, written by Massimiliano Montoro, from http://www.oxid.it/cain.html.
2. Install the program using its defaults. Install the WinPCap packet driver as well if one is not already installed.
3. Launch Cain & Abel (Start > Programs > Cain).
4. Click the green icon in the upper left-hand corner that looks like a network interface card. The attacker will want to check that her NIC card has been identified and enabled correctly by Cain & Abel.
5. Select the Sniffer tab.
6. Click the + symbol on the toolbar. The MAC Address Scanner window will appear. This will enumerate all the MAC addresses on the local subnet.
7. Click OK. See Figure 8-4 for the results.
Figure 8-4: MAC Address Scanner results
8. Select the APR tab on the bottom of the tool to switch to the ARP Pollution Routing interface.
9. Click the + symbol on the toolbar to show all the IP addresses and their MACs. See Figure 8-5.
Figure 8-5: IP addresses and their MACs
10. On the left-hand side of the dialog shown in Figure 8-5, choose the target for the man-in-the-middle attack. Most likely this will be the default gateway in the attacker’s subnet so all packets will go through her first before the real gateway of the subnet.
11. Once the attacker has chosen her target, which is the gateway IP address 172.16.1.1 in our example, she selects the VoIP endpoints on the right side that she wants to intercept traffic from, such as the Vonage base station. If she does not know which IP address is the Vonage device, she simply selects all the IP addresses on the right-hand side. Figure 8-6 shows more detail.
12. Select the yellow-and-black icon (the second one from the left on the menu bar) to officially start the man-in-the-middle attack. The untrusted third party will start sending out ARP responses on the network subnet, which will tell 172.16.1.119 that the MAC address of 172.16.1.1 has been updated to 00-00-86-59-C8-94. (See Figure 8-7.)
Figure 8-7: Man-in-the-middle attack in process with ARP poisoning
At this point, all traffic on the local network is going to the untrusted third party first and then on its appropriate route. The attacker can then use Cain & Abel, which provides a VoIP sniffer, to capture RTP packets and reassemble them into .wav files that can be opened with Windows Media Player.
13. Once a Vonage user places a phone call, complete the following steps to view the captured audio information:
a. Select the Sniffer tab on the top row.
b. On the bottom row, select VoIP. If VoIP communication has occurred on the network using RTP media streams, Cain & Abel will automatically save the RTP packets, reassemble them, and save them in .wav format.
As shown in Figure 8-8, Cain & Abel has captured a few phone conversations over the network using a few simple steps. Using a man-in-the-middle attack and Cain & Abel’s default VoIP sniffer, an attacker can easily capture, decode, and record all the voice communication on a Vonage network.
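A defender-side counterpart to steps 8 through 12, added here and not part of the book or of Cain & Abel: a Python ARP reply parser and a watcher that learns each IP's MAC and alerts when a later reply changes it, which is what a sensor on the 172.16.1.0 segment would observe during step 12. The gateway and untrusted-third-party addresses come from Figure 8-3 and the new MAC from step 12; the reply ordering and the victim's MAC 00-11-22-33-44-55 are constructed.

```python
import struct

# Constructed ARP "is-at" replies, not a real capture. The first two carry the
# gateway and untrusted-third-party addresses from Figure 8-3; the third is the
# reply step 12 describes, where 172.16.1.1 is suddenly advertised with a new
# MAC. Target 172.16.1.119 (from step 12) gets the made-up MAC 00-11-22-33-44-55.
SAMPLE_REPLIES = [bytes.fromhex(h) for h in (
    "0001080006040002" "0000c50e5763" "ac100101" "001122334455" "ac100177",
    "0001080006040002" "00a0cc698974" "ac100196" "001122334455" "ac100177",
    "0001080006040002" "00008659c894" "ac100101" "001122334455" "ac100177",
)]

def mac_str(raw): return "-".join(f"{b:02x}" for b in raw)
def ip_str(raw): return ".".join(str(b) for b in raw)

def parse_arp(payload):
    """Decode the 28-byte Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper,                          # 1 = request, 2 = reply
            "sender_mac": mac_str(payload[8:14]), "sender_ip": ip_str(payload[14:18]),
            "target_mac": mac_str(payload[18:24]), "target_ip": ip_str(payload[24:28])}

class ArpWatcher:
    """Learns each IP's MAC from replies and alerts when a later reply changes it."""
    def __init__(self, known=None):
        self.bindings = dict(known or {})        # ip -> mac, optionally pre-seeded

    def observe(self, payload):
        arp = parse_arp(payload)
        if arp["op"] != 2:                       # only "is-at" replies rewrite caches
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.bindings.get(ip)
        if old is None:
            self.bindings[ip] = mac
            return None
        if old != mac:
            # keep the first-seen binding so every further spoofed reply still alerts
            return f"ARP binding change: {ip} was {old}, reply now claims {mac}"
        return None

def run_watch(payloads, known=None):
    """Return the alerts raised while feeding the replies through one watcher."""
    watcher = ArpWatcher(known)
    return [a for a in (watcher.observe(p) for p in payloads) if a]
```

Seeding `known` with the gateway's real MAC from a trusted inventory makes the watcher alert on the very first spoofed reply instead of trusting whichever reply arrives first.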
Figure 8-8: Captured VoIP communication via RTP packets
Voice Injection (RTP)
RTP is the media layer used by Vonage. In addition to weaknesses that allow VoIP eavesdropping, RTP is also vulnerable to injection attacks. Injection attacks allow malicious entities to inject audio into existing VoIP telephone calls. For example, an attacker could inject an audio file that says “Sell at 118” between two stockbrokers discussing insider trading information.
To inject audio between two VoIP endpoints, RTP packets that mirror timestamp, sequence, and SSRC information of the real RTP packets must be used. For example, in a given RTP session, the timestamp usually starts with 0 and increments by the length of the codec content (e.g., 160ms), the sequence starts with 0 and increments by 1, and the SSRC is usually a static value for the session and a function of time. All three of these values are either predictable in nature or static. The ability to gather the correct timestamp, sequence, and SSRC information can be quite easy because all of the information traverses the network in cleartext. An attacker can simply sniff the network, read the required information for his attack, and inject his new audio packets. Furthermore, because the information is not random, a tool has been written (described in this section) to automate the process and require little effort from the attacker. Figure 8-9 shows an example of the RTP injection process.
Figure 8-9: RTP injection
Figure labels: Attacker; 1. Established Session; 2. Injected RTP Packets (with attacker’s audio)
RTP packets shown, all with SSRC 909524487:
Time: 790462029, Sequence: 6153
Time: 790462184, Sequence: 6154
Time: 790462349, Sequence: 6155
Time: 790462509, Sequence: 6156
Time: 790462669, Sequence: 6157
Notice that the attacker’s SSRC number is the same as its target’s, but its sequence number and timestamp are in sync with the legitimate session (increasing accordingly). This makes the endpoint assume that the attacker’s packets are part of the real session.
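The same three header fields seen from the defender's side, as an added example that is not from the book or from RTPInject: a Python RTP header parser and a stream monitor that flags what a sensor on the subnet sees while Figure 8-9 happens, namely the session's SSRC arriving from a second source MAC and sequence numbers that occur twice, because the real phone keeps sending its own copy of each number. The capture is constructed: SSRC 909524487, starting sequence 6153 and starting timestamp 790462029 are Figure 8-9's values, while the source MACs, the 160-sample stride (20 ms of G.711) and the packet ordering are assumptions.

```python
import struct
from collections import defaultdict

# Constructed capture, not from the book: (source MAC, RTP packet). SSRC
# 909524487 (0x36363e07), first sequence 6153 and first timestamp 790462029
# are Figure 8-9's values; later packets advance 1 / 160 per 20 ms G.711 frame.
# MACs ...-01 (the real phone) and ...-02 (a second sender) are made up.
def _pkt(hdr_hex): return bytes.fromhex(hdr_hex + "ffffffff")  # 4 dummy audio bytes
CAPTURE = [
    ("aa-aa-aa-aa-aa-01", _pkt("8000" "1809" "2f1d7e4d" "36363e07")),
    ("aa-aa-aa-aa-aa-01", _pkt("8000" "180a" "2f1d7eed" "36363e07")),
    ("aa-aa-aa-aa-aa-01", _pkt("8000" "180b" "2f1d7f8d" "36363e07")),
    ("aa-aa-aa-aa-aa-02", _pkt("8000" "180c" "2f1d802d" "36363e07")),  # injected copy
    ("aa-aa-aa-aa-aa-01", _pkt("8000" "180c" "2f1d802d" "36363e07")),
    ("aa-aa-aa-aa-aa-02", _pkt("8000" "180d" "2f1d80cd" "36363e07")),  # injected copy
    ("aa-aa-aa-aa-aa-01", _pkt("8000" "180d" "2f1d80cd" "36363e07")),
]

def parse_rtp(packet):
    """Decode the 12-byte fixed RTP header (RFC 3550)."""
    if len(packet) < 12:
        raise ValueError("truncated RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts, "ssrc": ssrc}

def find_injection(capture):
    """Alert on the two things a sensor sees during Figure 8-9: the session's SSRC
    arriving from a second source MAC, and a sequence number that occurs twice
    (RTP has no retransmission, so the real phone still sends its own copy)."""
    sources = defaultdict(set)     # ssrc -> source MACs seen
    seen_seq = defaultdict(set)    # ssrc -> sequence numbers seen
    alerts = []
    for mac, packet in capture:
        hdr = parse_rtp(packet)
        ssrc, seq = hdr["ssrc"], hdr["seq"]
        if sources[ssrc] and mac not in sources[ssrc]:
            alerts.append(f"SSRC {ssrc}: second source {mac}, known {sorted(sources[ssrc])}")
        sources[ssrc].add(mac)
        if seq in seen_seq[ssrc]:
            alerts.append(f"SSRC {ssrc}: duplicate sequence {seq} from {mac}")
        seen_seq[ssrc].add(seq)
    return alerts
```

The source-MAC check needs a capture taken on the switch segment itself (a SPAN port or the phone's own uplink), since a capture further upstream no longer carries the sender's MAC.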
In order to inject audio into VoIP networks that use RTP, an attacker should use RTPInject, a tool that automates the actions needed to inject packets into an existing audio stream. It automatically makes the appropriate changes to the timestamp, sequence, and SSRC values on behalf of the user. The only requirement is the audio file to be injected; however, RTPInject comes with an example audio file by default (for proof of concept purposes). In order to inject audio into an existing VoIP call, an attacker would complete the following steps:
1. Download RTPInject, written by Zane Lackey and Alex Garbutt, from http://www.isecpartners.com/tools.html. Follow the Readme.txt file for usage on a Windows machine. The Linux version of RTPInject depends on the following packages, which are pre-installed on most modern Linux systems, such as Ubuntu, Red Hat, and the BackTrack Live CD (you must always run it with root privileges):
Python 2.4 or higher
GTK 2.8 or higher
PyGTK 2.8 or higher
2. Install the pypcap library included with RTPInject by using the following commands:
bash# tar zxvf pypcap-1.1.tar.gz
bash# cd pypcap-1.1
bash# make all
bash# make install
(Note: The make install step must be performed as root.)
3. Install the dpkt library included with RTPInject by using the following commands:
bash# tar zxvf dpkt-1.6.tar.gz
bash# cd dpkt-1.6
bash# make install
4. Perform a man-in-the-middle attack on the network (if necessary) using dsniff (Linux) or Cain & Abel (Windows), as described earlier in this chapter, in order to capture all RTP streams in the local subnet.
5. Launch RTPInject using the following command:
bash# python rtpinject.py
Once RTPInject is loaded, it will show three fields in its primary screen, including the Source field, the Destination field, and the Voice Codec field. See Figure 8-10. The Source field will be auto-populated as RTPInject sniffs RTP streams on the network.
6. When a new IP address appears in the Source field, click it; it will then show the destination VoIP phone and the voice codec being used in the stream.
Figure 8-10: RTPInject main window
7. Because RTPInject displays the voice codec in use, the attacker can create the audio file with the proper codec she wishes to inject. Using Windows Sound Recorder or Sox for Linux, create an audio file in the file format shown by RTPInject, such as A-Law, u-Law, GSM, G.723, PCM, PCMA, and/or PCMU.
a. Open Windows Sound Recorder (Start > Programs > Accessories > Entertainment > Sound Recorder).
b. Click the Record button, record the audio file, and then click the Stop button.
c. Select File > Save As.
d. Select Change. Under Format, select the codec that was displayed in RTPInject. See Figure 8-11. (Both Windows Sound Recorder and Linux Sox audio utilities provide the ability to transcode any source audio to another type.)
Figure 8-11: Windows Sound Recorder codec
8. Once this audio file has been created using Windows Sound Recorder or Sox, click the folder button on RTPInject and navigate to the location of the file recorded in step 6 (depicted in Figure 8-12).
Figure 8-12: Select dialog
9. With the RTP stream and audio file selected, click the Inject button. RTPInject then injects the selected audio file into the destination host in the RTP stream, as shown in Figure 8-13.